Open Source IDS
A Quick and Dirty Guide
Darrin Wassom
Technical Architect
The Road to Ruin?
Introduction
What is this thing called IDS
SHADOW
SNORT
Distributed IDS
The Future
Toolkit Essentials
Links/Publications of Interest
Questions
Introductions
Presenter – Darrin Wassom
• Technical Architect
• Information Security Compliance Team
Foundational Presentation
– By no means a definitive guide!
– YMMV!
What is IDS?!?!
IDS = Intrusion Detection System
Two types
– Host-based IDS (HIDS)
• Tripwire is a great example
– Network-based IDS (NIDS)
• ISS RealSecure, Cisco (formerly called NetRanger), Symantec and many other commercial products are available, but we don’t care about those….. yet.
• SHADOW
• SNORT
SHADOW – The Granddaddy!
Secondary Heuristic Analysis for Defensive Online Warfare = SHADOW
Formerly called CIDER – Cooperative Intrusion Detection Evaluation and Response
Developed by the Naval Surface Warfare Center (NSWC) in 1994 by Stephen Northcutt
SHADOW
Open Source components include
– TCPDUMP (key component!)
– OpenSSH
– Apache
– Tripwire
– PERL
Statistical means of viewing network traffic
– Patterns appear over time
– Looks for network anomalies
SHADOW - Screenshots
SHADOW - Caveats
SHADOW does not provide real-time analysis in the traditional sense
– Its strength lies in long-term packet analysis
SHADOW is not rule-based
– You won’t receive event-specific alerts like “Code Red Attack”
SHADOW has been known to cause bouts of rage, insomnia and second thoughts about career choice
– It’s not easy to configure!
SHADOW – Sounds Cool…. Tell me more!
Can be downloaded at
– http://www.nswc.navy.mil/ISSEC/CID/
Latest release published
– April 2003
• Actively maintained by NSWC
SHADOW fork
– Guy Bruneau has provided an ISO image format of Shadow on Slackware Linux (last updated 8/2003)
• http://www.whitehats.ca/main/index.html
• VERY cool, check it out!
SNORT – An Open Source Star
Developed by Marty Roesch in 1998
Rules-based
– also called signature-based
Benefits
– easy to install
– HIGHLY customizable
– Flexible
– FAST
– Can also work as a packet sniffer
• supports BPF filter expressions!
SNORT – Modes of Operation
Packet Sniffer
– snort -v
• prints headers to the screen only
– snort -vd
• will show application data in transit
– snort -vde
• all the above plus the data link layer
– snort -vd tcp and port not ssh
• example of using a BPF filter expression
– snort -vd -l /var/tmp
• dumps data to a directory for future analysis
– snort -vd -L /var/tmp/test.cap
• writes data to a specific file in TCPDUMP format
– snort -r /var/tmp/test.cap
• opens any TCPDUMP file
SNORT – Modes of Operation
Intrusion Detection Mode
– The nuts and bolts!
– snort -i eth0 -c /etc/snort/snort.conf
• specifies the eth0 interface and the location of the snort configuration file (snort.conf)
– Snort Configuration
• snort.conf
– Allows for any range of possibilities
– Well documented and easy to follow
SNORT – Analysis of a Rule
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT gobbles SSH exploit attempt"; flow:to_server,established; content:"GOBBLES"; reference:bugtraq,5093; classtype:misc-attack; sid:1812; rev:2;)
Rule Header
– Action required
• alert, log, pass, user-defined
– defines network protocols
– source/destination
– traffic direction
Rule Options
– Always enclosed in parentheses
– Defines which attributes must be present to trigger an event
SNORT – Tips/Tricks for Rules
SID – Snort ID
– 1-100 – Reserved for Marty Roesch
– 101-1000000 – Reserved for Snort Development Team
– > 1000000 – Can be used for locally defined rules
Rule/Signature Maintenance
– SNORT regularly updates rules, and they can be downloaded from their site
– Oinkmaster
• Script written to help with rule management
• http://www.algonet.se/~nitzer/oinkmaster/
Creating Custom Rules
– use TCPDUMP or Ethereal to analyze packets which you wish to be alerted on…..
– Check sites like Internet Storm Center (http://isc.sans.org/) for timely rule updates
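To make the rule header/option split and the SID ranges from the two slides above concrete, here is an added Python example (not from the deck or from the Snort project) that parses the GOBBLES rule quoted on the rule-analysis slide into its header fields and option pairs and classifies a SID by the ranges listed; it assumes single-line rules and does not handle escaped quotes inside option values.

```python
import re

# Snort rule header: action proto src_ip src_port direction dst_ip dst_port,
# followed by the options in parentheses as "key:value;" pairs.
HEADER_FIELDS = ("action", "proto", "src_ip", "src_port", "direction", "dst_ip", "dst_port")
RULE_RE = re.compile(
    r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$", re.S)

def split_options(body):
    """Split the option body on semicolons outside double quotes.
    Returns (key, value) tuples in order, so repeated keys such as several
    content: matches are kept. Escaped quotes (\\") are not handled."""
    opts, cur, in_quotes = [], "", False
    for ch in body:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            if cur.strip():
                opts.append(cur.strip())
            cur = ""
        else:
            cur += ch
    if cur.strip():
        opts.append(cur.strip())
    pairs = []
    for opt in opts:
        key, _, value = opt.partition(":")   # keys without a value get ""
        pairs.append((key.strip(), value.strip().strip('"')))
    return pairs

def parse_rule(text):
    """Return (header_dict, option_pairs) for one single-line Snort rule."""
    m = RULE_RE.match(text)
    if not m:
        raise ValueError("not a Snort rule: %r" % text[:40])
    header = dict(zip(HEADER_FIELDS, m.groups()[:7]))
    return header, split_options(m.group(8))

def sid_range(sid):
    """Classify a SID by the ranges given on the slide."""
    if 1 <= sid <= 100:
        return "reserved for Marty Roesch"
    if 101 <= sid <= 1000000:
        return "reserved for Snort development team"
    if sid > 1000000:
        return "local rule"
    raise ValueError("sid must be a positive integer")

# The rule analysed on the slide.
GOBBLES_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT gobbles SSH '
                'exploit attempt"; flow:to_server,established; content:"GOBBLES"; '
                'reference:bugtraq,5093; classtype:misc-attack; sid:1812; rev:2;)')
```

Running `parse_rule(GOBBLES_RULE)` yields the header (`alert`, `tcp`, `$EXTERNAL_NET`, `any`, `->`, `$HOME_NET`, `22`) and seven option pairs, and `sid_range(1812)` places the rule in the development-team range.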
SNORT – A Problem
SNORT, by itself, is great for a single-probe installation
– One configuration file
– One set of rules
– One place to look for alerts, logs, etc.
Management and Analysis become difficult with more than one probe
– multiple conf files to maintain
– rules issues
– which probe do you check for analysis?
SNORT – Distributed Approach
SNORT – Components to Webify!
ACID - written by Roman Danyliw
– Analysis Console for Intrusion Databases
– http://www.andrew.cmu.edu/~rdanyliw/snort/snortacid.html
Other Requirements (ship w/ most Linux distros)
– Web Server – Apache
– PHP
– SQL database – MySQL
– Other misc components
Sounds difficult!!
– Several EXCELLENT whitepapers are available
• Step by Step guides!
SNORT – Uh, Where?
Steven Scott
– Red Hat 7.3 and 9.0
– VERY detailed and HIGHLY recommended
– http://www.snort.org/docs/snort-rh7-mysql-ACID-1-5.pdf
– http://www.superhac.com/snort/docs/snort_enterprise.pdf
• Steven’s site, Superhac, is intermittent. If you can’t find the site, let me know and I’ll send a copy of the document
Local Subject Matter Expert
– Mark Eanes
• Putting him on the spot!
SNORT – Show me!
SNORT – Real Time?
Near real-time alerts are available!
– SWATCH
• Simple WATCHer
• http://swatch.sourceforge.net/
• Can be configured to monitor just about any type of log file
– can send email, pager or SMB popup
– Easy to configure
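An added example (not from the deck and not SWATCH itself) of what the SWATCH setup described above does: it reads Snort "fast" alert lines, matches the message against watchfor-style patterns, pages on high-priority events, and throttles repeats from the same source for the same SID. The log lines are constructed samples using the sid:1812 rule from the rule-analysis slide; the action names are placeholders for whatever mail/pager/popup command you would wire in.

```python
import re

# Snort alert_fast line layout (Classification is optional):
#   MM/DD-HH:MM:SS.usec [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: N] {PROTO} src:port -> dst:port
FAST_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] "
    r"(?:\[Classification: (?P<cls>[^\]]*)\] )?\[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>\S+) -> (?P<dst>\S+)$")

# Constructed sample alert log (not captured from a real sensor).
SAMPLE_LOG = """\
08/05-13:22:01.123456 [**] [1:1812:2] EXPLOIT gobbles SSH exploit attempt [**] [Classification: Misc Attack] [Priority: 3] {TCP} 10.0.0.5:4321 -> 192.168.1.10:22
08/05-13:22:07.000001 [**] [1:1000001:1] LOCAL policy test [**] [Priority: 1] {TCP} 10.0.0.7:1111 -> 192.168.1.10:80
08/05-13:22:09.555555 [**] [1:1812:2] EXPLOIT gobbles SSH exploit attempt [**] [Classification: Misc Attack] [Priority: 3] {TCP} 10.0.0.5:4322 -> 192.168.1.10:22
not an alert line at all
"""

def parse_alert(line):
    """Return a dict of fields, or None for lines that are not fast-format alerts."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    a = m.groupdict()
    a["sid"], a["prio"] = int(a["sid"]), int(a["prio"])
    a["src_ip"] = a["src"].rsplit(":", 1)[0]   # drop the port (ICMP alerts carry none)
    return a

def watch(log_text, watchfor, max_priority=2, throttle=True):
    """SWATCH-style pass over a log.
    watchfor maps a regex (tested against the alert msg) to an action name (placeholder).
    Alerts with priority number <= max_priority (1 = most severe) also trigger 'page'.
    With throttle=True a (sid, src_ip) pair fires only once, like swatch's throttle."""
    patterns = [(re.compile(p), action) for p, action in watchfor.items()]
    seen, notifications = set(), []
    for line in log_text.splitlines():
        a = parse_alert(line)
        if a is None:
            continue
        key = (a["sid"], a["src_ip"])
        if throttle and key in seen:
            continue
        actions = [act for rx, act in patterns if rx.search(a["msg"])]
        if a["prio"] <= max_priority:
            actions.append("page")
        if actions:
            seen.add(key)
            notifications.append((sorted(actions), a["sid"], a["src_ip"]))
    return notifications
```

`watch(SAMPLE_LOG, {"gobbles SSH": "mail"})` returns two notifications: a mail for the first GOBBLES alert and a page for the priority-1 local rule; the second GOBBLES alert from the same source is throttled.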
SNORT – Usage/Application
Detection of Privilege Escalation
– DEMO
• FTP Exploit
– Gain root level access to a public facing FTP server
– Would most likely go undetected
• Results in SNORT/ACID
– Link
SNORT – Usage/Application
Enterprise IDS
– Advantage
• low cost (hardware, learning curve)
• Extremely flexible
– Cons
• Requires significant tuning/tweaking
• Constant maintenance
– rule mgmt issues
• Eternal vigilance!
– applies to ANY internal IDS presence
Augment Outsourced IDS Point Solution
– Track internal vulnerabilities on a specific segment
• outbound worm traffic is a great example
SNORT – The Future
Evolution
– Intrusion Prevention
• Flex response (user-defined)
– built-in
• Snort Inline
– actively developed
• Both add elements of “intelligence” to dynamically block ports/hosts based on signatures
– Event Correlation
• Analyze multiple log events
– Coming soon!
– Sourcefire
• Commercial arm of SNORT
– founded by Marty Roesch
Toolkit Essentials
TCPDUMP
– http://www.tcpdump.org/
WINDUMP
– http://windump.polito.it/
Ethereal
– http://www.ethereal.com/
Links/Publications
SNORT
– http://www.snort.org/
Superhac
– http://www.superhac.org
SANS Reading Room
– http://rr.sans.org/
Publications (Available at Amazon)
– Snort 2.0 Intrusion Detection
• Brian Caswell, Ryan Russell, Jay Beale, et al.
– Intrusion Detection with Snort
• Jack Koziol
– IDS with Snort: Advanced Techniques
• Rafeeq Rehman
Education
SANS Institute
– Education track devoted to Intrusion Detection
• http://www.sans.org
• http://www.giac.org
• GCIA – GIAC Certified Intrusion Analyst
– heavy coverage of TCPDUMP, Snort and advanced analysis techniques
Questions?